hi,
I want to install the most secure setup that I could find:
hardened gentoo (PaX with RSBAC) on a fully encrypted SSD with the unencrypted boot information on a USB-stick and LVM over the encrypted disk.

Note: using an SSD to store confidential data needs more consideration because of the way that an SSD relocates data in order to provide "wear levelling". Should an attacker have unfettered physical access to the drive, they will be able to read data that the operating system appeared to have overwritten by bypassing the flash controller. Even if you filled the entire disk, there's a large amount of "hidden" space for wear levelling that will contain previously written and now discarded data. You should instead consider using an SSD that does its own encryption.

but there is no information on how to do that.

Third question:
I've heard that skype and hardened project features don't work, or don't work easily, together. Is this true? And are there big performance issues with this setup? My machines are pretty new (T420s), 15 seconds boot time without optimization (standard amd64 desktop profile, nothing encrypted), but too much lack of performance wouldn't justify my interest in a fortress-like system.

btw, just because I'm paranoid doesn't mean that "they" aren't following me..

Last edited by LoTeK on Fri Jan 25, 2013 7:41 pm; edited 1 time in total

But I have fully encrypted disks (doesn't really matter if SSD or HDD), boot on USB (with encrypted keyfiles - attacker needs both the stick and my password to get at the HDDs), and root on LVM on LUKS on mdadm.

You should not have to worry about SSD wear leveling if you never put unencrypted data on it. So it gets relocated, so what? It doesn't make decryption any easier.

Quote:

and are there big performance issues with this setup?

If your CPU does not come with AES-NI support, or if you're not using AES for encryption with such a CPU, you will lose the speed of your SSD to the encryption. It's just not that fast (can't even utilize full HDD speeds).

But I have fully encrypted disks (doesn't really matter if SSD or HDD), boot on USB (with encrypted keyfiles - attacker needs both the stick and my password to get at the HDDs), and root on LVM on LUKS on mdadm.

Cool.. but I thought the "boot stuff" has to be unencrypted?! So you boot up and have to enter the password for the encrypted keyfiles before anything else, or how does this work?
Does this setup need more experience?

So I sense that you aren't very excited about the hardened project, if not, why?

I guess hardening has a tendency of breaking things.

I do run hardened gentoo on desktop and notebook, so it is perfectly possible.
But if you need proprietary applications or, worse, kernel modules (vmware, graphics drivers et al.) you may have to switch to a normal kernel and thus have a lower level of hardening.

Quote:

Quote:

But I have fully encrypted disks (doesn't really matter if SSD or HDD), boot on USB (with encrypted keyfiles - attacker needs both the stick and my password to get at the HDDs), and root on LVM on LUKS on mdadm.

Cool.. but I thought the "boot stuff" has to be unencrypted?! So you boot up and have to enter the password for the encrypted keyfiles before anything else, or how does this work?
Does this setup need more experience?

You still need some part of the system that is not encrypted to boot - whether that is a separate boot partition or some kind of usb stick is up to you.

frostschutz mentioned something else: there are three possibilities to store passphrases: not at all (i.e. they need to be entered as a password), in a key file (which in the case of the root partition defeats the purpose of encrypting imo), and in an encrypted key file.
The last option still forces you to enter a password (to decrypt the key), but it allows long (and therefore stronger) passwords/passphrases.

genkernel allows the use of encrypted key files, but they use a slightly different method of decrypting the luks/dm-crypt container than dmcrypt used in openrc. If you put everything into one large lvm, you shouldn't have to worry; if you need some additional partitions decrypted (which are not handled by the initrd) then you need to be careful.

Quote:

Third question:
I've heard that skype and hardened project features don't work, or don't work easily, together. Is this true? And are there big performance issues with this setup? My machines are pretty new (T420s), 15 seconds boot time without optimization (standard amd64 desktop profile, nothing encrypted), but too much lack of performance wouldn't justify my interest in a fortress-like system.

I haven't looked in detail at skype, but the latest version 4.x seems to work with a hardened kernel.

The performance impact comes mainly from encrypting/decrypting the data during read and write. I never compared a plain ssd to an encrypted one, but imo the performance impact is not that big.

just my .02$
V.

PS. if some parts are unclear, feel free to ask back.
_________________
read the portage output!
If my answer is too concise, ask for an explanation.

But if you need proprietary application or worse kernel modules (vmware, graphic drivers et all) you may have to switch to a normal kernel and thus have a lower level of hardening.

Is it possible to have a hardened and a normal kernel on the same system? And to switch profiles?

Quote:

genkernel allows the use of encrypted key files, but they use a slightly different method of decrypting the luks/dm-crypt container than dmcrypt used in openrc. If you put everything into one large lvm, you shouldn't have to worry; if you need some additional partitions decrypted (which are not handled by the initrd) then you need to be careful.

ok, so I'll go with the option that doesn't store passwords... I want to put everything in one large lvm (the SSD is only 160 GB). Is there a specific reason why one could need separately decrypted partitions?

As for SSDs with their "own encryption": there are certain SSDs out there that will encrypt the data along with locking the drive with the ATA password. This is different from many mechanical disks that simply lock the ATA interface when "protected", which can be defeated by overwriting the password/replacing the nonvolatile memory that contains it. The only consumer SSD that I know of off the top of my head that has AES encryption is the Intel SSD520 series, but if that has encryption, likely many other Sandforce SSDs will as well. The advantage of this, hopefully, is that the whole disk including metadata is encrypted, blocks can't be discerned as old or new, and might well be considered securely erased when put into the spare block/wear levelling pool. With layered software full disk encryption, it's possible to query the controller for which blocks are in the deleted/spare pool and look for "interesting data."

Mount the boot partition.
mount LABEL=boot_stick /mnt/gentoo/boot
Create a boot -> . symlink
ln -s . /mnt/gentoo/boot/boot
Run grub-install.
grub-install --root-directory=/mnt/gentoo/boot /dev/sdu
Create a menu.lst -> grub.conf symlink
ln -s grub.conf /mnt/gentoo/boot/grub/menu.lst
Of course, you have to create the grub.conf itself for grub to know what it is supposed to boot. The following example is sufficient for booting a kernel with integrated ram disk, like the one you compiled earlier.
File: /mnt/gentoo/boot/grub.conf

In essence you need to tell the kernel where to look for the encrypted root partition (crypt_root=/dev/sda3, adapt to your system), then tell the kernel where the decrypted device is located (real_root=/dev/mapper/root - this is the configuration if genkernel is used!)

which method are you using? dmcrypt or luks?

I am not using LVM, but this might help in the setup - if I understood correctly, you only need to add dolvm to the kernel line.

V.
_________________
read the portage output!
If my answer is too concise, ask for an explanation.

Root on LVM works fine. However if you have a separate /usr partition, you have to mount that too.

But if you don't even get a rescue shell, something is wrong.

As for the kernel parameters, those are only required for genkernel initramfs. In your own initramfs, the root etc. parameters do not matter, unless you write code to evaluate those parameters in your init script.

http://en.gentoo-wiki.com/wiki/Initramfs is what I wrote in its stead and it works fine unless you miss something (like, modules - anything required to boot should be builtin unless you want module files in the initramfs).

If you're still following that Initramfs wiki page, can you upload your initramfs and kernel image somewhere? I'll have a look at it.

I've reinstalled the whole system because I thought I should move the root on a separate partition. Then I've read your post and put everything in one LVM-partition, so now I have /dev/sda encrypted with LVM on top:

I've followed your new initramfs page (the old one only for the boot-stick), now it's a bit different: I'm still not prompted for my password, and during the boot process the line "something went wrong, dropping you in a rescue-shell" appears, but I'm not dropped into it.

Then "/dev/sda doesn't exist or access denied" appears, so I guess the problem is the encryption?! First I forgot to copy /dev/{random, urandom}, then the line "/dev/random not found" appeared, but then I copied both and it's still not working...

Unless I missed something in your Kernel config, making sure the device nodes are present should get the rescue shell working, and once that works, you have something to work with in the Initramfs itself to figure out why the rest is not working as it should. E.g. in the rescue shell you could cat /proc/partitions to see if the kernel sees your HDD at all, otherwise there'll be a driver missing or modular when it should be builtin. Your config looks like it should support AHCI SATA disks though, if that's what you have.

oh guys, can you believe it?! I've done it
I don't know if it didn't work before because I didn't copy the standard device nodes (now I've done it). I just entered the password during boot time and then it worked, strange...
I was prompted for it (maybe even before), but the process continued (ca 15 lines), then it stopped, then I entered the password and then I could log in. Is there a way to get a "nicer" prompt for the encryption password?

No, I want to see messages too, but I mean I've not been prompted for my password, I just enter it during the boot process while messages are appearing... I want the messages to appear, then I should be prompted for the password, after that, messages should appear again...

cryptsetup should display a "Enter passphrase for /dev/dubdedoo: " when it asks you for the password. This works fine for me.

It's only possible that the kernel detects some hardware with delay, and while that happens it prints messages after cryptsetup already printed its prompt. So you don't see the prompt anymore because it scrolled off the screen. And to prevent that from happening you can disable kernel printk while you type your password.

If you don't see a prompt whatsoever but can enter the password anyway, then I'm not sure what's happening.

The prompt is probably there, but the asynchronous diagnostic output (while it scans usb, scsi, etc.) is probably scrolling past... A cheap way out is to add a delay and wait a few seconds for things to settle, then prompt for the password?
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD

What am I supposed to be watching?

You were supposed to replace cryptsetup foo bar with your own cryptsetup line - i.e. just add the printk stuff before/after your prompt command. did you do that?

haha, yes of course, I don't like the "copy-paste mentality"
ok, I'll try it with sleep...
and just to know for sure, in your case do the messages "wait" until you have entered your password, or do they also go on and you don't care (because it's not that important)?

Any messages occurring during the printk are simply not shown. It should work (if proc is mounted and all). So while I have the prompt the kernel is quiet. (But the messages show up in dmesg/syslog later).
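To tie the pieces of this thread together, here is a skeleton /init for a hand-rolled initramfs that evaluates the crypt_root/real_root parameters itself (as frostschutz notes, a custom init script must parse them) and silences printk around the cryptsetup prompt. This is an added example, not the thread's or the wiki page's own script; busybox, cryptsetup, lvm and the static /dev nodes are assumed to be inside the initramfs, and the fallback device paths, the volume name vg-root and the PID-1 guard are assumptions.

```shell
#!/bin/sh
# Added example: skeleton /init for an initramfs that opens a LUKS container,
# activates the LVM volume group inside it and switches root. Assumes busybox,
# cryptsetup, lvm and the static /dev nodes were copied into the initramfs.
PRINTK=${PRINTK:-/proc/sys/kernel/printk}   # overridable so the helpers can be tested elsewhere

# Extract one key=value option from a kernel command line string.
# Example: cmdline_value crypt_root "root=/dev/ram0 crypt_root=/dev/sda3" -> /dev/sda3
cmdline_value() {
    key=$1
    for word in $2; do
        case "$word" in
            "$key"=*) printf '%s\n' "${word#*=}"; return 0 ;;
        esac
    done
    return 1
}

# Set console_loglevel to 0 so late hardware-detection messages cannot scroll
# the cryptsetup prompt off the screen; the old line is kept for restore_printk.
quiet_printk() {
    SAVED_PRINTK=$(cat "$PRINTK")
    echo 0 > "$PRINTK"
}
restore_printk() {
    echo "$SAVED_PRINTK" > "$PRINTK"
}

rescue_shell() {
    echo "$1, dropping you to a rescue shell"
    exec /bin/sh
}

init_main() {
    mount -t proc proc /proc
    mount -t sysfs sysfs /sys
    cmdline=$(cat /proc/cmdline)
    # Same parameter names genkernel uses; the fallbacks are constructed/hypothetical
    crypt_root=$(cmdline_value crypt_root "$cmdline") || crypt_root=/dev/sda
    real_root=$(cmdline_value real_root "$cmdline") || real_root=/dev/mapper/vg-root
    quiet_printk
    cryptsetup luksOpen "$crypt_root" crypt || rescue_shell "luksOpen of $crypt_root failed"
    restore_printk
    lvm vgchange -ay                     # activate the volume group inside the container
    mount -o ro "$real_root" /mnt/root || rescue_shell "cannot mount $real_root"
    umount /proc /sys
    exec switch_root /mnt/root /sbin/init
}
# /init runs as PID 1 in the initramfs; sourcing the file elsewhere only defines the functions.
if [ "$$" -eq 1 ]; then init_main; fi
```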